Forensic system, forensic method, and forensic program

ABSTRACT

Embodiments of the inventive concept can extract digital document information related with a specific individual to achieve a work load reduction associated with evidentiary material preparation for litigation. A specific individual is selected from at least one individual included in user information. Only digital document information which was accessed by the specific individual is extracted based on access history information regarding the selected specific individual. Additional information indicating whether or not document files in the extracted digital document information are each related with the litigation is set, and a document file related with the litigation is outputted based on the additional information.

CROSS-REFERENCE TO RELATED APPLICATIONS

This U.S. non-provisional patent application is a continuation of U.S.patent application Ser. No. 13/514,966, filed Jun. 8, 2012 which claimspriority to U.S. National Phase Application of PCT InternationalApplication PCT/JP2011/057141, filed Mar. 24, 2011, which claimspriority to Japanese Patent Application No. 2010-075960, filed Mar. 29,2010, the disclosure of which is incorporated herein by reference in itsentirety.

BACKGROUND

1. Technical Field

Embodiments of the inventive concept relate to a forensic system,method, and program, and in particular, to a forensic system, method,and program for collecting digital document information relating tolitigation.

2. Background Art

Conventionally, when a crime or a legal conflict relating to a computersuch as unauthorized access or leakage of confidential information orother so-called “forensic” events occur, a means or a technique forcollecting and analyzing devices, data, or electronic records requiredfor investigation into the cause of or to otherwise clarify legalevidences thereof have been proposed.

Particularly, in civil litigation in United State of America, since sucha procedure as eDiscovery is required, both a plaintiff and a defendantinvolved in the litigation must submit all related digital informationas evidences. They also need to submit digital information recorded incomputers and/or servers as evidentiary material as well.

Due to the rapid development and spreading of information technologies,most information that is being produced in today's world is beingproduced or otherwise replicated by computers, such that massive amountsof digital information are generated, even within the same company.

Therefore, in the preparation work of gathering evidentiary material forsubmission to a court of law or other party, mistakes can occur whereeven confidential digital information, which is not necessarily relatedwith the litigation, is nevertheless inadvertently submitted togetherwith the evidentiary materials, which can cause legal waiver issues andother problems.

In recent years, techniques related to forensic systems have beenproposed in JP-A-2006-178521 and JP-A-2007-148731. JP-A-2006-178521discloses a forensic system where identification of a wrongdoer can beperformed efficiently by a method which allows testimony to evidentiaryconservation, whereby reliability of the identification is robustagainst human factors.

JP-A-2007-148731 discloses a forensic system where a forensic relatedsystem performs an ex-post handling, such as identification of acriminal, in connection with a legal action or determination such as anamount of loss compensation in an information damage insurance system,which pays insurance coverage due to leakage of personal information.

However, the conventional forensic systems of JP-A-2006-178521 andJP-A-2007-148731 disclose that in the collection of digital documentinformation related with a specific individual, they may specifyaccessible digital document information by the individual to collect allthe information. However, due to the broader access right, a vast amountof information is eventually collected.

Further, when all the information set with an access right to theindividual is collected, if the individual's position is higher withinan organization, the access right tends to be set broader, so that anenormous amount of electronic documents, which are not related with thelitigation and which were not actually browsed by the individual areeventually collected.

As a result, too much work and cost are required for analyzing andevaluating documents to find only the documents that are related withthe individual from the vast amounts of collected information.

SUMMARY

The inventive concept provides a forensic system, method and program foranalyzing digital information which was accessed by an individualrelated with litigation without analyzing all of the digital informationto which the individual may have an access right.

In an aspect of the inventive concept, there is provided a forensicsystem which acquires digital information recorded on a plurality ofcomputers or a server to analyze the acquired digital information. Theforensic system may comprise: a digital information acquiring unitconfigured to acquire digital information containing digital documentinformation composed of a plurality of document files, to acquire userinformation about users using the plurality of computers or the server,and to acquire access history information which shows a fact that theusers accessed a document file recorded in the server; a recording unitconfigured to record therein digital information acquired by the digitalinformation acquiring unit; a display unit configured to display therecorded digital information; a specific-individual selecting unitconfigured to select, via the display unit, a specific individual fromat least one user contained in the user information; a digital documentinformation extracting unit configured to extract only digital documentinformation which was accessed by the specific individual based on theaccess history information related with the selected specificindividual; an additional information setting unit configured to set,via the display unit, additional information indicating whether or notdocument files in the extracted digital document information are eachrelated with litigation; and an output unit configured to output adocument file related with the litigation based on the additionalinformation.

The term “access history information” means information showing that auser which uses any of a plurality of computers accessed the digitaldocument information recorded in the server. For example, access historyinformation may include a user ID indicating who the user is, and accessinformation indicating when and which digital document information theuser has accessed.

The term “digital information acquiring unit” means a unit which mayacquire digital information recorded in a plurality of computers orservers. For example, a method for acquiring the digital information mayinclude a method for copying digital information recorded in thecomputers or the server in an electronic medium to copy the digitalinformation in a forensic system via the electronic medium, and/or amethod for connecting the computers or the server and the forensicsystem to each other via a network line to copy digital informationrecorded in the computers or the server in the forensic system, therebyperforming preservation of digital information. Moreover, the digitalinformation acquiring unit may include a unit to acquire second digitalinformation including second digital document information, second userinformation, and second access history information, the second digitalinformation being recorded in a second server which is different fromthe above-described server. The forensic system of the inventive conceptmay be a system which can use not only the above-described digitalinformation but also the second digital information to extract thesecond digital document information based on the second access historyinformation.

In one aspect of the inventive concept, the forensic system may furthercomprise a text information extracting unit configured to extract textinformation for each of the plurality of document files from therecorded digital document information; a keyword selecting unitconfigured to select a keyword; and a searching unit configured tosearch a document file including the selected keyword based on theextracted text information, wherein the additional information settingunit is configured to set additional information to the searcheddocument file.

In one aspect of the inventive concept, the forensic system may furthercomprise a data converting unit configured to convert recorded documentfiles in the digital document information in the recording unit into apredetermined data format, wherein the document files converted by thedata converting unit are processed with the same data format as theconverted data format in a period before it is outputted by the outputunit.

In another aspect of the inventive concept, the forensic system mayfurther comprise a statistical data producing unit configured to producestatistical data represented by data size for each data format of theacquired digital document information, or statistical data representedby data size for each data format of the searched digital documentinformation.

Further, the forensic system of the inventive concept can comprise aclock unit which, when digital information is newly acquired, isconfigured to clock a time and date of the acquisition of the digitalinformation, the digital information further including folderinformation saving the digital document information, wherein the digitalinformation acquiring unit is configured to acquire the digital documentinformation and the folder information which were produced after a timeand date previously clocked by the clock unit, and is configured toacquire user information and access history information related with theacquired digital document information and folder information.

The term “server” may mean one or more servers, or a combination of aplurality of servers. Further, for example, the server may include atleast two of a mail server, a file server, and a document managingserver.

The configuration of the forensic system may include a plurality ofservers, where the digital information extracting unit and the searchingunit are separated to the various servers, respectively, and theseparate servers of the forensic system are further connected to eachother via a network.

The forensic system of the inventive concept can be provided with aplurality of additional information setting units where additionalinformation can be set by different operators.

The term “display unit” may mean a display device to display digitalinformation. Further, the term “displays the recorded digitalinformation” may mean displaying all of the user information, thedigital document information, and the access history information,displaying at least one of these, or displaying at least one attribute(e.g., names of users, names of document files, individuals whichconducted access, access time, and/or document files).

The term “output unit” may mean any suitable unit to output or otherwiseproduce digital document information. For example, the output unit maybe a printer or a device to produce a digital document file.

In another aspect of the inventive concept, there is provided a forensicmethod for acquiring digital information recorded on a plurality ofcomputers or a server to analyze the acquired digital information. Themethod may comprise: acquiring digital information containing digitaldocument information composed of a plurality of document files,acquiring user information about users using the plurality of computersor the server, and acquiring access history information which shows afact that the users accessed a document file recorded in the server;recording the acquired digital information; displaying the recordeddigital information; selecting a specific individual from at least oneuser contained in the user information; extracting only digital documentinformation which was accessed by the specific individual based on theaccess history information related with the selected specificindividual; setting additional information indicating whether or notdocument files in the extracted digital document information are eachrelated with litigation; and outputting a document file related with thelitigation based on the additional information.

In one aspect of the inventive concept, there is provided anon-transitory forensic program for acquiring digital informationrecorded on a plurality of computers or a server to analyze the acquireddigital information, for causing a computer to execute: a function ofacquiring digital information containing digital document informationcomposed of a plurality of document files, acquiring user informationabout users using the plurality of computers or the server, andacquiring access history information which shows a fact that the usersaccessed a document file recorded in the server; a function of recordingthe acquired digital information; a function of displaying the recordeddigital information; a function of selecting a specific individual fromat least one user contained in the user information; a function ofextracting only digital document information which was accessed by thespecific individual based on the access history information related withthe selected specific individual; a function of setting additionalinformation indicating whether or not document files in the extracteddigital document information are each related with litigation; and afunction of outputting a document file related with the litigation basedon the additional information.

The above-described summary of the inventive concept does notnecessarily include all of features or combinations of the inventiveconcept. Further, sub-combinations of these features may constituteadditional embodiments of the inventive concept.

According to the forensic system, method, and program of the inventiveconcept, by selecting a specific individual, extracting only digitaldocument information which was accessed by the specific individual basedon access history information about the selected specific individual,setting additional information indicating whether or not document filesin the extracted digital document information are each related withlitigation, and outputting a document file related with the litigationbased on the additional information, the operators can extract only thedigital document information which was accessed by the specificindividual and analyze and evaluate the same without evaluating all ofthe digital document information within a range of an accessible rightpossessed by the specific individual who is related with the litigation.

The present system may extract only the digital document informationrelated with the specific individual among the flood of digital documentinformation, thereby achieving word load reduction for evidentiarymaterial preparation associated with the litigation.

According to the present forensic system, method, and program of theinventive concept, the second digital information recorded in the secondserver can be used, so that when the second digital document informationis extracted based on the second access history information, theoperators can extract only digital document information which wasaccessed by the specific individual from digital document informationrecorded in the second server, and analyze and evaluate the same withoutevaluating all of the digital information recorded in a plurality ofservers.

According to the present forensic system, the method, and program of theinventive concept, the text information extracting unit, the keywordselecting unit, and the searching unit are further provided, where, whenthe additional information setting unit sets additional information tothe searched document file, the operator(s) can narrow down only some ofthe digital document information recorded in the server which wasaccessed by the specific individual, and a population of digitaldocument information which is potentially related with the litigation,using a predetermined search.

According to the present forensic system, method, and program of theinventive concept, when a document file converted by the data convertingunit is processed with the same data format as the converted data formatin a period before it is outputted by the output unit, the operator(s)can reduce a wasteful step such as data format conversion in the courseof a processing flow, and they can exclude a risk of quality degradationof the digital document information.

Further, according to the forensic system, method, and program of theinventive concept, when the statistical data producing unit is provided,since statistical data can be visualized and provided to theoperator(s), the operator(s) can grasp the labor required for litigationpreparation in an early stage.

Further, according to the forensic system, method, and program of theinventive concept, when the digital information acquiring unit acquiresdigital document information and folder information which were producedafter a time and date previously clocked by the clock unit, and itacquires user information and access history information related withthe acquired digital document information and folder information, theoperator(s) can perform difference collection of digital information,which can reduce the load for acquiring the same digital informationfrom such a device as the server redundantly each time.

According to the forensic system, method, and program of the inventiveconcept, when the digital information extracting unit and the searchingunit are separated into various servers of a forensic system,respectively, the processing capacity of the whole system can beimproved by distributing calculation steps of respective processingunits to the respective servers.

The forensic system, method, and program may further include a pluralityof additional information setting units. The additional informationsetting units may set additional information by different operators,thereby enabling a plurality of individuals to evaluate digital documentinformation as a preparatory work for submitting evidentiary material toa court of law at an early stage.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram showing a forensic system in a firstembodiment of the inventive concept;

FIG. 2 is a diagram showing a flow of a forensic system service of theinventive concept;

FIG. 3 is a flow chart showing a present forensic process of theforensic system of the inventive concept; and

FIG. 4 is a block diagram showing a forensic system in a secondembodiment of the inventive concept.

DETAILED DESCRIPTION

Embodiments of the inventive concept will be described below withreference to the drawings.

FIG. 1 is a block diagram showing a forensic system 1 in an embodimentof the inventive concept. The forensic system 1 shown in FIG. 1 mayacquire digital information recorded in a plurality of computers (PC2 toPC5) and server 10 to analyze the acquired digital information. Theforensic system 1 is provided with digital information acquiring unit20. The digital information acquiring unit 20 may acquire digitalinformation 25 including digital document information composed of aplurality of document files 27 and/or user information 29 about usersusing the plurality of computers (PC2 to PC5) or server 10. The digitalinformation acquiring unit 20 may also acquire access historyinformation 28 showing the fact that the users accessed document files(e.g., 27) recorded in the server 10. The recording unit 30 may recordthe digital information (e.g., 25) acquired by the digital informationacquiring unit 20. The display unit 40 may display the recorded digitalinformation. The specific-individual selecting unit 50 may select, viathe display unit 40, a specific individual from users contained in theuser information 29. The digital document information extracting unit 60may extract only digital document information which was accessed by thespecific individual based on access history information related with theselected specific individual. An additional information setting unit 70may set, via the display unit 40, additional information showing whetheror not document files in the extracted digital document information areeach related with litigation. The output unit 120 may output a documentfile related with the litigation based on the additional information.

The control unit 160 may include the display control device 45, digitaldocument information extracting unit 60, text information acquiring unit80, managing unit 85, searching unit 100, data converting unit 110,statistical data producing unit 130, clock unit 140, and/or CPU 150.

Further, forensic system 1 may include a keyboard, a mouse or a datainput device such as a touch panel, if display unit 40 has a touch panelfunction. The data input devices may include specific-individualselecting unit 50, additional information setting unit 70, and keywordselecting unit 90.

Further, forensic system 1 may include a keyboard, a mouse or othersuitable data input device (not shown). Alternatively or in addition,the display unit 40 can include a touch panel having a touch panelfunction. The data input device may include or be connected to thespecific-individual selecting unit 50, additional information settingunit 70, and/or keyword selecting unit 90. The specificindividual-selecting unit 50, additional information setting unit 70,and keyword selecting unit 90 may be separate data input devices, oralternatively, a sole or combined data input device. Further, the outputunit 120 may be, for example, a recording device for recording data inan electronic medium or on other physical media such as paper via aprinter.

The forensic system 1 shown in FIG. 1 may execute a forensic programstored in an external storage device (not shown) on CPU 150 of thecomputer. The forensic program may be stored in a recording medium suchas CD-ROM, or distributed via a network such as the Internet, and/or maybe installed in one or more of the PCs or the server 10.

In the first embodiment described below, the forensic system 1 can be apersonal computer or associated with a personal computer. The forensicsystem 1 may be a server or a portable data assistance type of computerdevice. In another embodiment, the forensic system 1 may be a systemconfiguration of a network type.

The digital information acquiring unit 20 may acquire digitalinformation recorded in computers PC2 to PC5 or server 10 used by one ormore users. For example, the digital information acquiring unit 20 maycopy digital information 25 recorded in computers PC2 to PC5 or server10 to an electronic medium such as USB, CD, or DVD. The unit 20 mayfurther copy the digital information 25 to the forensic system 1 via theelectronic medium.

The digital information acquiring unit 20 may preserve or otherwisecollect the recorded digital information in computers PC2 to PC5 orserer 10 via network in the case where the forensic system 1 andcomputers PC2 to PC5 or server 10 are connected to the network.

The digital information acquiring unit 20 may collect recorded seconddigital information including second digital document information,second user information and second access history information in asecond server different from the server 10.

In this case, the forensic system 1 may extract second digitalinformation and the digital information from server 10. The forensicsystem 1 may extract second digital document information using thesecond access history information recorded in the second server.

The forensic system 1 may further include a text information extractingunit 80, which may extract text information from each of a plurality ofdocument files 27. The forensic system 1 may further include a keywordselecting unit 90, which may select a keyword, and searching unit 100,which may search a document file 27 including the selected keyword basedon the extracted text information from the recorded digital documentinformation.

The additional information setting unit 70 may set additionalinformation to the document file searched by the searching unit 100.

The forensic system 1 may further include a data converting unit 110.The unit 110 may convert and normalize digital documents, of digitaldocument information recorded by unit 30, to a common format. Thedocument file that is converted by the data converting unit 110 may beprocessed without further converting until being outputted from theoutput unit 120.

The forensic system 1 may further include a statistical data producingunit 130. The unit 130 may produce statistical data represented by orotherwise based on data size for each data format of the acquireddigital document information, and/or statistical data represented by orotherwise based on data size for each data format of the digitaldocument information searched by the searching unit 100.

The forensic system 1 may include a clock unit 140 to determine timeand/or date when the digital information is acquired. The digitalinformation may include folder information or other hierarchyinformation indicating where the digital document information is stored.The digital information acquiring unit 20 may acquire only the digitaldocument information and folder information, which were produced after atime and date previously clocked by clock unit 140. The unit 20 mayacquire only user information and access history information relatedwith the acquired digital document information and/or folderinformation.

The digital information may include the digital document information,the user information, the access history information, and/or the folderinformation. The clock unit 140 may calculate a time and/or date of thedigital information, which has been acquired by the digital informationacquiring unit 20. The display unit 40 may display content according toan instruction of the display control unit 45 included in the controlunit 160.

The digital information acquiring unit 20 may selectively acquire, fromcomputers PC2 to PC5 or server 10, digital document information andfolder information produced in a period from the (n-1)^(th) to n^(th)(e.g., n-2,3, . . . ) acquiring point. The digital information acquiringunit 20 may further acquire the user information and access historyinformation related with the acquired digital document information andthe folder information. The server 10 may include at least one server.For example, the server 10 may include a plurality of servers. Moreover,the server 10 may include at least two or more of a mail server, a fileserver, and a document management server.

The forensic system 1 may be used simultaneously by different operators.The additional information setting unit 70 may include a plurality ofdata input devices. The plurality of display units 40 may correspond innumber to the plurality of additional information setting units 70. Aplurality of operators may set additional information through theplurality of additional information setting units 70 whilesimultaneously evaluating digital document information.

The output unit 120 may output digital document information. Forexample, the output unit 120 may be a printer or other suitablerecording device, which records digital information on an electronicmedium.

FIG. 2 illustrates a service flow to explain a procedure for performingpreparatory work for submission of evidentiary materials to a court oflaw using the forensic system 1. Reference is now made to the variouselements of FIGS. 1 and 2.

When a crime or a legal conflict relating to a computer such asunauthorized access or leakage of confidential information or otherso-called “forensic” events occur, it is necessary to collect andanalyze devices, data, and/or electronic records, which are needed forinvestigation into the causes or to otherwise clarify legal evidencesthereof. For example, pertaining to civil litigation in the UnitedStates of America, since such a procedure as eDiscovery is required,both a plaintiff and a defendant involved in the litigation must submitall of related digital information as evidences. They also need tosubmit digital information recorded in computer(s) and/or server(s) asevidences.

The forensic system 1 may be used to preserve the digital informationrecorded in the computers, for example PC2 to PC5 and server 10, inorder to evaluate digital information related with the litigation,thereby conducting preparatory work to submit evidentiary materials tocourt of law. Thereafter, the forensic system 1 may register thepreserved digital information in a database such as recording unit 30,and analyze the digital information to classify the same based on thekeyword searching or filtering. The recording unit 30 may be included inone of the computers and/or servers connected to or otherwise includedin or associated with the forensic system 1.

The forensic system 1 may provide the classified digital information onthe display unit 40. Moreover, the operator(s) may review the data andset additional information to the digital document information via theadditional information setting unit 70.

The control unit 160 may include preservation and analysis functions,processing functions, analysis functions, search function, operators'reviewing functions, and/or producing functions. For example, thepreservation and analysis function of the control unit 160 may include acase management function (i.e., a function of managing unit 85), whichallows data management for each case. In addition, the control unit 160may include a file analysis function (i.e., a function of searchingfunction 100), which allows analysis of the kind of file and/or apossession amount thereof for each target individual and/or evidentiarymaterial. In addition, the control unit 160 may cause an analysis of afile to be performed or searched. Also, the control unit 160 may cause afile kind selection and/or extraction function to be performed (i.e., afunction of the digital document information extracting unit 60), whichallows selection of file type to be searched/browsed. Additionally, thecontrol unit 160 may cause a preservation function to be performed(i.e., a function of the data converting unit 110), which allowspreservation of the selected file as a separate file.

Further, the processing analysis and search function of control unit 160may have a full-text search function and a frequently-appearing word andphase top-extraction function (i.e., functions of the searching unit100). The full-text search function may be compatible withmulti-language, allows AND, OR, and NOT searches by Boolean operation,and/or a grouping search. In addition, the full-text search function mayhave a highlight display function of a searched word or phrase and/or aconversion function to meta data. Further, the full-text search functionmay have an advanced search function such as neighborhood search. Thefrequently-appearing word and phase top-extraction function is forextracting a frequently-appearing word or phrase within certain digitaldocument information.

The review function of the control unit 160 may include, for example, ane-mail family browsing processing function (i.e., a function ofsearching unit 100), which allows collective browsing of an e-mailfamily. In addition, the control unit 160 may include a free-design tagfunction (i.e., a function of searching unit 100), which allows searchfor material provided with one evaluation or a plurality of evaluationsas additional information based on the evaluation(s). Further, thecontrol unit 160 may include a free-design book-mark function (i.e., afunction of searching unit 100), which allows book-mark search formaterial set with a hierarchy structure book-mark. Also, the controlunit 160 may include a free-input comment column (i.e., a function ofthe managing unit 85) including a comment column in which any number ofcharacters can be inputted. In addition, the control unit 160 mayinclude a simultaneous browsing function for the above-describedplurality of operators to evaluate digital document information.Further, the control unit 160 may include an access right controlfunction (i.e., a function of the managing unit 85), which allowssetting of such rights as an access right, manager right, orbrowsing-only right, or the like, for each case, for each account of abrowser when performing review. Moreover, the control unit 160 mayinclude a writing-within-document memo function (i.e., a function of themanaging unit 85), which allows writing within a document withoutchanging the text of the digital document information. In addition, thecontrol unit 160 may include a case management function (i.e., afunction of the managing unit 85), which allows display of the number ofreview-completed documents (e.g., in terms of a percentage).

The control unit 160 may also include an e-mail threading function(i.e., a function of the managing unit 85), which displays e-mailthreads (such as returning, forwarding, and the like) collectively.Furthermore, the control unit 160 may include a mail analysis displayfunction (i.e., a function of statistical data producing unit 130),which displays transmissions and receptions of mails graphically. Inaddition, the control unit 160 may include a similar document displayfunction (i.e., a function of the managing unit 85), which performsautomatic classification of similar documents such as draft orold-version documents, and may cause the documents to be displayed.Further, the control unit 160 may include a similar document differencehighlight function (i.e., a function of the managing unit 85), whichhighlight-displays only a portion of a difference between similardocuments. Also, the control unit 160 may include a previous and nexttexts-search hit portion display function (i.e., a function of thesearching unit 100), which displays only the surrounding area of a wordor a phrase hit by searching.

The production function of the control unit 160 may include variousoutput functions. The output functions can be performed by the outputunit 120 according to an instruction from managing unit 85. The outputcan be an XML output of such information including, for example, anactual file, meta information, tag information, comma-separated value(CSV) information, and/or various other suitable load file outputs.Additional functions can include a batch printing function (i.e., afunction where output can be performed by the output unit 120 accordingto an instruction from the managing unit 85), which prints the selecteddigital document information.

The forensic system 1 may produce acquired data in an electronic mediumusing the output unit 120. For example, the forensic system 1 may recorddata in an electronic medium with a common data format by a recordingdevice.

A procedure for performing preparatory work for submission ofevidentiary materials to a court of law using the forensic system 1 willbe described in detail with reference to the flowchart shown in FIG. 3.

The digital information acquiring unit 20 may acquire digitalinformation 25 including digital document information 27 in a commonformat such as Word® format, PDF format, PPT format, and/or Excel®format, may acquire user information 29 about users who used thecomputers PC2 to PC5 or server 10, and may also acquire access historyinformation 28 indicating the user and above-mentioned digital documentinformation recorded in the server 10 (ST1).

The access history information 28 indicates a fact that the user whoused computers PC2 to PC5 accessed the digital document information 27recorded in the server 10 via network. For example, the access historyinformation 28 may include a user ID indicating who a user is, whichdigital document information the user accessed, and/or when the useraccessed the digital document information.

Explanation is made assuming that the number of computers (e.g., PC2 toPC5), which users utilized is four. However, it will be understood thatthe number of PCs is not limited to four, and any suitable number ofcomputers can be used. The digital information acquiring unit 20 mayrecord the acquired digital information to recording unit 30 (ST2).

The display unit 40 can display the digital information (e.g., thedigital document information, the access history information, the userinformation, and/or information showing only title of the digitalinformation) via the control unit 160 (ST3). For example, according toan instruction from the display control unit 45, the display unit 40 maydisplay all of the user information, the digital document information,and/or the access history information. In addition, the display unit 40may display attribute information (e.g., a name of a user, a file nameof a document file, an individual who conducted access, an access time,and/or a document file).

By way of another example, using a confirming a screen of the displayunit 40, the operator(s) may login to the forensic system 1 and furtherproduce a case, which is a unit of the uppermost data group in thedatabase of the forensic system 1. Further, while using the confirmingscreen of the display unit 40, the operator(s) may set a connectiondestination of a server corresponding to the recording unit 30 in whichthe digital information has been recorded. The operator(s) may furthermanage the association between the server and the recording unit 30. Insome embodiments, a plurality of recording units 30 are present.

Further, while using the confirming screen of the display unit 40, theoperator(s) may set a custodian (i.e., a data-holding target individualor a user) and management thereof. In addition, while using theconfirming screen of the display unit 40, the operator(s) may producetarget digital document information (i.e., a middle data group unit inthe database of the forensic system 1), or target information-collectedand preserved, and may control the status thereof. While using theconfirming screen of the display unit 40, the operator(s) may make aconnection of the custodian to the target information-collected andpreserved. For example, while using the confirming screen of the displayunit 40, the operator(s) may preset which custodian was related with thelitigation to a plurality of targets composed of the digital documentinformation acquired from the computers PC2 to PC5 or server 10. Whileusing the confirming screen of the display unit 40, the operator(s) canselect one or a plurality of targets to be analyzed. Thus, the controlunit 160 can acquire the digital information recoded in the recordingunit 30 to analyze the digital information by the various functionalunits.

The forensic system 1 may include the statistical data producing unit130, which produces statistical data represented by or otherwise basedon data size for each data format of the digital document informationrecorded in recording unit 30, or statistical data represented by orotherwise based on data size for each data format of the digitaldocument information searched by searching unit 100.

For example, while using the confirming screen of the display unit 40,the operator(s) can select a custodian to be analyzed and apredetermined path (e.g., directory) from a target corresponding to thecustodian to display a list of an analysis result of the number of filesand a size for each custodian. Further, while using the confirmingscreen of the display unit 40, the operator(s) can display the list ofthe analysis result of the number of files and a size for each path(e.g., directory) as a chart. Further, while using the confirming screenof the display unit 40, the operator(s) can display the analysis resultof the number of files and a size for each path (e.g., directory) as alist. Further, while using the confirming screen of the display unit 40,the operator(s) can display the list of the analysis result of thenumber of files and a size for each file type as a chart. Further, whileusing the confirming screen of the display unit 40, the operator(s) candisplay the list of the analysis result of the number of files and asize for each file type.

Moreover, while using the confirming screen of the display unit 40, theoperator(s) can display the list of the analysis result of the number offiles and a size for each file type as a chart. Further, while using theconfirming screen of the display unit 40, the operator(s) can displaythe list of the analysis result of the number of files and a size foreach file type of only a text-searchable file as a chart. Thetext-searchable file is a file where text information can bepreliminarily extracted from the digital document information recordedin the recording unit 30 by the text information acquiring unit 80.

Next, the operator(s) can select a specific individual (e.g., custodian)from users contained in the user information of the digital informationrecorded in the recording unit 30 using the specific-individualselecting unit 50 (ST4). While using the confirming screen of thedisplay unit 40, the operator(s) can select a case, custodian, and/ortarget.

When the operator(s) review or otherwise evaluate the digital documentinformation where an access right has been set to a custodian, if theindividual's rank is higher within an organization, the access right canbe set broader, so that numerous electronic documents, which are notrelated with the litigation and which were not actually browsed by theindividual, are eventually collected. In such case, a problem can occurwhere significant labor and cost are needed to perform the analysis inorder to find only documents related with the individual from anenormous amount of collected information.

To avoid such a problem, the digital document information extractingunit 60 can also extract only the digital document information which wasaccessed by the selected specific individual (e.g., custodian) based onthe access history information related with the selected specificindividual (ST5).

For example, when the operator(s) select Mr. Koh (e.g., personal name ofa custodian), only the document file which was accessed by Mr. Koh isextracted within the digital document information within the selectedtarget. By using the access history information, the operator(s) canextract the document file (e.g., browsed, edited, or produced), whichwas actually accessed by Mr. Koh. The access history information shows afact that a user, which used either of a plurality of computers,accessed the digital document information recorded in the server. Forexample, the access history information may include a user ID showingwho the user is, and the access history information may include accessinformation showing which digital document information the user accessedand when the user accessed the digital document information. Since theID information at Mr. Koh's utilization time of the computer or theserver, and the access history information about Mr. Koh, arepreliminarily recorded in recording unit 30, the operator(s) can extractthe digital document file which was accessed by Mr. Koh by taking acorrespondence relationship between Mr. Koh's ID and the document filewhich was accessed by Mr. Koh.

The example of Mr. Koh has been described, but when a plurality ofcustodians such as Mr. Otsu (e.g., personal name of another custodian)in addition to Mr. Koh are selected, the digital document informationextracting unit 60 can extract a document file related with theplurality of custodians.

As described above, when the operator(s) have set a relationship betweenthe target and the custodian, only a document file which was accessed bythe custodian who was actually selected by specific-individual selectingunit 50 within the target which was determined to be related andselected as the custodian at the target unit is consistently extracted.

Moreover, the operator(s) can search according to the function ofsearching unit 100, while using the confirming screen of the displayunit 40. Further, the display control unit 45 function allows theoperator(s) to perform simple browsing , while using the confirmingscreen of the display unit 40. The simple browsing allows theoperator(s) to grasp the contents of the digital document informationquickly and efficiently.

The operator(s) may set additional information to the extracted documentfiles in the digital document information to indicate whether or noteach of the document files is related with the litigation (ST6).Specifically, the operator(s) may add a tag for each document filedepending on its relationship with the litigation. The tag (e.g.,additional information) may include “hot” for a file related with thelitigation, “responsive” for one which may potentially be related withthe litigation, and/or “not responsive” for one which is not relatedwith the litigation. More specifically, the operator(s) may input a tagby clicking a file row in a batch list.

The operator(s) may use the output unit 120 to output the document filerelated with the litigation based on the additional information. Forexample, the operator(s) may output only a document file attached with“hot,” or may output document files attached with “hot” and“responsive,” among other possibilities and combinations. The outputunit 120 may output a document file related with the litigation based onthe additional information (ST7).

The forensic system 1 may include or otherwise be associated with aplurality of servers. The forensic system 1 may include digitalinformation extracting unit and a searching unit. The digitalinformation extracting unit and searching unit may be separated into thevarious servers to form the forensic system 1. The separated forensicsystems may be connected via a network.

By way of another example, a second embodiment will be described withreference to FIG. 4. The forensic system 1 may have a systemconfiguration of a network type as shown in FIG. 4. The secondembodiment of the inventive concept of the forensic system 1 may includeprocessing units similar to those of the forensic system 1 explained inthe first embodiment of the inventive concept. The processing units arelocated separately in a plurality of servers. The servers are connectedto each other via a network. Therefore, the servers may be locatedwithin the country, and the servers may be located in a distributedmanner regardless of home and/or abroad.

The display units 40 may be provided on clients PC 170 to PC 172. Thedisplay response of the display units 40 can be improved by collectingdata transmissions and receptions in a virtual client/server in a bundlebetween a plurality of clients (e.g., PCs) and a user interface (UI)server.

Thus, the forensic system 1 may be configured by the computer in asimilar fashion as the first embodiment, or alternatively, the forensicsystem 1 may be configured by the system of the network type similar tothe second embodiment.

According to the forensic system 1, the specific-individual selectingunit 50, additional information setting unit 70, and/or keyword settingunit 90 can correspond to the data input device provided in each ofclients PC 170 to PC 172.

By selecting a specific individual, sorting only digital documentinformation which was accessed by the specific individual based on theaccess history information about the selected specific individual,extracting the sorted digital document information, setting additionalinformation indicating whether or not the document files in theextracted digital document information are each related with thelitigation, and outputting the document file related with the litigationbased on the additional information, the forensic system 1 makes itpossible to extract and analyze only the digital document informationwhich was accessed by the specific individual without evaluating all ofthe digital document information within the range of the access rightpossessed by the specific individual, when the individual is involved inthe litigation.

Accordingly, the operator(s) can extract only the digital documentinformation related with the specific individual among the flood ofdigital document information, thereby achieving a work load reductionfor evidentiary material preparation in connection with the litigation.

The forensic system 1 can use the second digital information recorded inthe second server, and when extracting the second digital documentinformation based on the second access history information, the forensicsystem 1 may extract, analyze and evaluate only some of the digitaldocument information recorded in the second server, which was accessedby the specific individual without evaluating all of the digitalinformation recorded in the plurality of servers.

According to the forensic system 1, the text information extracting unit80 and searching unit 100 are provided, and when the additionalinformation setting unit 70 sets additional information to the searcheddocument file, the operators can narrow down only some of the digitaldocument information recorded in the server which was accessed by thespecific individual, and a population of the digital documentinformation, which is potentially related with the litigation, using apredetermining search.

According to the forensic system 1, when the document file converted bythe data converting unit 110 is processed with the same data format asthe converted data format in a period before it is outputted by theoutput unit 120, the operator(s) can reduce a wasteful step such as dataformat conversion in the course of the processing flow, and they canexclude a risk of quality degradation of the digital documentinformation.

According to the forensic system 1, when the statistical data producingunit 130 is further provided, statistical data can be visualized andprovided to the operator(s), so that labor required for litigationpreparation can be grasped early and efficiently.

Further, according to the forensic system, method, and program of theinventive concept, when the digital information acquiring unit 20acquires only the digital document information and folder information,which were produced after the time and date previously clocked by theclock unit, and acquires only the user information and the accesshistory information related with the acquired digital documentinformation and the folder information, the operator(s) can perform adifference collection of the digital information, which can reduce theload for acquiring the same digital information from such a device asthe server redundantly each time. According to the forensic system 1,when the digital information extracting unit 60 and searching unit 100are separated into different servers of the forensic system,respectively, a processing capacity of the whole system can be improvedby distributing calculation steps of respective processing units to therespective servers.

According to the forensic system 1, when simultaneous utilization by aplurality of operators is possible, the additional information settingunit 70 allows different operators to set additional information, sothat the operators can perform a preparatory work at an early stage by aplurality of individuals making a determination about whether or notdigital document information is evidentiary material to a court of law.

The embodiments of the inventive concept have been described above, butthe technical scope of the inventive concept is not limited to the scopedescribed in the above-described embodiments. It is apparent thatvarious modifications or improvements can be applied to theabove-described embodiments. It is apparent from the description of thescope of claims that an aspect which has been applied with such amodification or improvement can also be included in the technical scopeof the inventive concept.

Further, forensic systems 1 of the first embodiment and the secondembodiment may be configured by combining the respective whole systemsor respective processing units of the respective forensic systems 1.

1. A forensic system configured to acquire digital information recordedon a plurality of computers or a server to analyze the acquired digitalinformation, the forensic system comprising: a digital informationacquiring unit configured to acquire digital information containingdigital document information composed of a plurality of document files,to acquire user information about users using the plurality of computersor the server, and to acquire access history information which shows afact that the users accessed a document file recorded in the server; arecording unit configured to record therein digital information acquiredby the digital information acquiring unit; a display unit configured todisplay the recorded digital information; a specific-individualselecting unit configured to select, via the display unit, a specificindividual from at least one user contained in the user information; adigital document information extracting unit configured to extract onlydigital document information which was accessed by the specificindividual based on the access history information related with theselected specific individual; an additional information setting unitconfigured to set, via the display unit, additional informationindicating whether or not document files in the extracted digitaldocument information are each related with litigation; and an outputunit configured to output a document file related with the litigationbased on the additional information.
 2. The forensic system according toclaim 1, wherein the digital information acquiring unit is configured toacquire second digital information including second digital documentinformation, second user information and second access historyinformation, the second digital information being recorded in a secondserver different from the server; and the forensic system is configuredto use not only the digital information but also the second digitalinformation, and to extract the second digital document informationbased on the second access history information.
 3. The forensic systemaccording to claim 1, further comprising: a text information extractingunit configured to extract text information for each of the plurality ofdocument files from the recorded digital document information; a keywordselecting unit configured to select a keyword; and a searching unitconfigured to search a document file including the selected keywordbased on the extracted text information, wherein the additionalinformation setting unit is configured to set additional information tothe searched document file.
 4. The forensic system according to claim 1,further comprising: a data converting unit configured to convert thedocument file in the digital document information recorded by therecording unit to a predetermined data format, wherein the document fileconverted by the data converting unit is processed with the same dataformat as the converted data format in a period before being outputtedby the output unit.
 5. The forensic system according to claim 1, furthercomprising: a statistical data producing unit configured to producestatistical data represented by data size for each data format of theacquired digital document information or statistical data represented bydata size for each data format of the searched digital documentinformation.
 6. The forensic system according to claim 1, furthercomprising: a clock unit which, when newly acquiring digitalinformation, is configured to clock a time and date of the acquisitionof the digital information, the digital information further includingfolder information saving digital document information, wherein thedigital information acquiring unit is configured to acquire the digitaldocument information and the folder information which were producedafter a time and date previously clocked by the clock unit, and isconfigured to acquire user information and access history informationrelated with the acquired digital document information and the folderinformation.
 7. The forensic system according to claim 1, wherein theforensic system further includes a plurality of servers, the digitalinformation extracting unit and the searching unit are separate from theservers, respectively, and the separate digital information extractingunit, the searching unit, and the plurality of servers are connected toeach other via a network.
 8. The forensic system according to claim 1,wherein the forensic system is configured to be simultaneously used by aplurality of operators, and the additional information setting unit isconfigured to set additional information by different operators.
 9. Theforensic system according to claim 1, wherein the output unit is eitherone of a printer and a digital document producing device.
 10. A forensicmethod for acquiring digital information recorded on a plurality ofcomputers or a server to analyze the acquired digital information, themethod comprising: acquiring digital information containing digitaldocument information composed of a plurality of document files,acquiring user information about users using the plurality of computersor the server, and acquiring access history information which shows afact that the users accessed a document file recorded in the server;recording the acquired digital information; displaying the recordeddigital information; selecting a specific individual from at least oneuser contained in the user information; extracting only digital documentinformation which was accessed by the specific individual based on theaccess history information related with the selected specificindividual; setting additional information indicating whether or notdocument files in the extracted digital document information are eachrelated with litigation; and outputting a document file related with thelitigation based on the additional information.
 11. A recording programrecording therein a forensic program which acquires digital informationrecorded on a plurality of computers or a server to analyze the acquireddigital information, for causing a computer to execute: a function ofacquiring digital information containing digital document informationcomposed of a plurality of document files, acquiring user informationabout users using the plurality of computers or the server, andacquiring access history information which shows a fact that the usersaccessed a document file recorded in the server; a function of recordingthe acquired digital information; a function of displaying the recordeddigital information; a function of selecting a specific individual fromat least one user contained in the user information; a function ofextracting only digital document information which was accessed by thespecific individual based on the access history information related withthe selected specific individual; a function of setting additionalinformation indicating whether or not document files in the extracteddigital document information are each related with litigation; and afunction of outputting a document file related with the litigation basedon the additional information.